Date: Sun, 19 Nov 2017 22:19:56 +0700
From: Victor Sudakov
To: Eugene Grosbein
Cc: Eric Masson, freebsd-net@freebsd.org, Jim Thompson, "Muenz, Michael"
Subject: Re: OpenVPN vs IPSec
List-Id: Networking and TCP/IP with FreeBSD

Eugene Grosbein wrote:
>
> > And the kernel IPsec implementation has had problems with NAT
> > traversal. Does it still have problems and require extra patches for NAT
> > traversal?
>
> No, it has not after IPSec code overhaul in times of 11.0-STABLE.
> NAT traversal works out-of-box these days not requiring extra patches.

Glad to hear that. Also, in 11.x no kernel recompilation is needed to
enable IPSec. So maybe when I eventually migrate all my hosts to the
11th branch, it will be time for me to give IPSec a second chance,
with all that nice if_ipsec stuff.

>
> It needs "nat_traversal on" in the racoon.conf, though.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859